Hole allowing Hotmail password resets has been closed.

Last Friday, Microsoft quietly fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account. The company was notified of the flaw on April 20th and responded with a fix within hours, but not until after widespread attacks, with the bug apparently spreading "like wild fire" in the hacking community.

Hotmail's password reset system uses a token system to ensure that only the account holder can reset their password: a link with the token is sent to an account linked to the Hotmail account, and clicking the link lets the account owner reset their password. However, the validation of these tokens isn't handled properly by Hotmail, allowing attackers to reset passwords of any account.
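As an added illustration (not the article's or Microsoft's code) of how a reset-token check is supposed to behave, the following binds each token to one account, stores only its hash, expires it, and consumes it on first use, so a missing, foreign, stale or replayed token is rejected. The in-memory store, the one-hour lifetime and the account names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store for the example: account -> {digest, expires}.
PENDING = {}
TOKEN_TTL = 3600  # assumed one-hour token lifetime


def issue_reset_token(account: str, now: float = None) -> str:
    """Mint a random one-time token for `account`; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[account] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL,
    }
    return token  # this is what goes into the e-mailed link


def validate_reset_token(account: str, token: str, now: float = None) -> bool:
    """True only if an unexpired token is pending for *this* account and
    `token` matches it; the token is consumed so it cannot be replayed."""
    now = time.time() if now is None else now
    if not token:  # an absent or empty token must fail closed
        return False
    entry = PENDING.get(account)
    if entry is None:  # nothing pending for this account
        return False
    if now > entry["expires"]:  # stale: discard and refuse
        del PENDING[account]
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, entry["digest"]):  # constant-time
        return False
    del PENDING[account]  # single use
    return True
```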

Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet. Videos showing the technique (or at least, something close to it) can be found as far back as April 6th.

As well as targeted attacks against specific Hotmail users, there was also brute force cracking of accounts with two- and three-letter e-mail addresses.

Researchers at Vulnerability Lab discovered the flaw on April 6th, and they reported it to Microsoft on April 20th, with the patch following shortly after. It's also claimed that the flaw was discovered by a Saudi hacker at dev-point.com, and there's certainly plenty of discussion of the attack on that site during the period between Vulnerability Lab's claimed discovery and the decision to notify Microsoft.

If your account has been hacked with this technique, you'll know it instantly, as your password will no longer work. Getting it back may be more difficult, as the standard first step in any account hack is to reset all the recovery information so that the original owner can't retrieve it.

Does this only apply to Hotmail accounts? It looks like it was a flaw with the Live login system itself, not specific to Hotmail.

This is what I was kind of wondering. Fortunately my account is apparently fine, but I get to my hotmail account via simply logging into live.com with my general password (which also accesses my skydrive account and I believe GFWL).

How do they edit the user's recovery details without credentials to their linked account? Seems like the vast majority of attacks would result only in a reset password, but no access to the actual email account? More of a nuisance than anything.

It would have sucked to have had all that breached in one hit.

It's all one and the same, isn't it? To sign in to Xbox services it's my Hotmail credentials.

So why did Vulnerability Lab wait two weeks before they reported this critical flaw to Microsoft?

I wondered this, especially as the front page summary makes it sound like MS knew about it and sat with its thumb up its arse for two weeks, which it would appear isn't actually true. Still, that's more a gripe with Ars.

Things like this don't leave me feeling great about the prospect of using Live for my main Windows account/authentication, as Microsoft seem to be pushing for in Windows 8.

The convenience of single accounts in the cloud, that access lots of services via one login, is nice, but it has its drawbacks.

This isn't unique to Microsoft or Live accounts -- Google accounts have a similar problem with too many eggs being kept in one basket -- but it'd be nice if Microsoft caught up and offered two-factor authentication, as Google have been doing for a while now. It doesn't solve every problem but it does make taking over an account harder, unless you also take (or intercept) someone's phone.

Yes you don't need to use your live account but Microsoft make it very clear that they prefer you to use it.

If this bug had been discovered after Windows 8 rolled out, the PR disaster would probably have made the PSN breach look tiny. MS better hope there's nothing else lurking in their code waiting to bite them.

Live is useless at security. It had actually got a 10-character maximum password field (when I signed up a year ago, not sure now). I was like WTF, I'd never heard of a password restriction on maximum length that low.

So much for security.

Don't need to worry about that now--my password is at least 13 characters and I like that there is no restriction on the use of symbols.

You do realize that that's absolutely no help against the above mentioned vulnerability?

That all seemed a bit fishy to me. The user's password wasn't changed, so someone must have found it out using another method (not this one). From the article, he uses the same password in multiple places. This is a fairly stupid idea, but far worse if the password for your email account is the same as the password for a forum you're signed up to using that email address. I don't see how Hotmail can be blamed in that particular case.

That doesn't stop this being a really crappy thing to have happened though, and MS should know better. Their own web development best practice documents note this sort of attack as a potential problem.

Not to defend Microsoft, but I've had an 11-character password on my Hotmail account for at least 8 years. I change it monthly but it's been 11 characters each time.

Why would you click on a link to reset password if you know your password? Sounds like the end user helped again with this.

That wasn't what was happening. The hackers were bypassing the token checking mechanism, allowing them to reset an account's password without that link. In fact, had the hacker taken too long to reset the account, an affected user, noticing the reset email right away, probably would have thwarted the hacker if they clicked the link immediately and reset their own password.

Edit: ...only to then probably be attacked with another password reset a minute later.

Reminds me of years back when Hotmail had just started, and we were in middle school all giddy to get our first ever e-mail addresses, and our teacher helped us create our first accounts, and I realized that people's passwords were stored in the URL string... had SO much fun pretending to be other people.

The worst part is, it's nigh impossible to delete a hotmail/live account.

Oh?

Hotmail helpfully deleted my account because of inactivity, that was about 12 years ago, but still, fuck them, I have a long memory.

Nah, they only delete your emails, not your account.

Still, I agree. Haven't used my hotmail account since that happened either.

To be fair, they tell you right in the TOS that they will delete your account after 90 days of inactivity. This has been in the TOS for the 11 years that I've had an account.

"Our reasons for cancellation may include ... that you breach this contract, fail to sign in to the Windows Live ID network during a 90-day period..."

Agreed - they have that posted in their policy.

HOWEVER - your post prompted me to log in to my Hotmail account that I have not touched in several years (read 5 or 6 or more) and I logged in with zero problems the first time. Granted, any e-mail I had in the account has been long gone - but I don't ever use that account anymore.

I was a victim of this hack. I had to fight nearly 2 months with the retarded customer service to get it back: every 2 days I got the same reply to my service request that they did not believe I was the real owner of the Hotmail account, and then I replied that it was really me; ended up doing that nearly 30 times.

I created a Gmail account and switched all my accounts / registrations / ... to it. Except for Xbox Live, since they would not allow a switch of email address without having access to the previous email address. Live was the only service that I was unable to switch. Even when calling the Xbox Live service agent he was unable to help me. So I was only able to recover Xbox Live after winning the fight with Hotmail customer service. Otherwise it would have been lost forever. Thx Microsoft :-( .

Unfortunately, not all of Microsoft's things always sing from the same hymn sheet. It may have been fixed in the last year or so (I haven't tried it recently), but when I got my first Games For Windows Live game I found the stupid client kept getting login errors, even though the password was right and worked on the web. After about an hour of swearing, I realised the GFWL client was truncating the password. Sigh.

I guess that's another problem with too many different things using the same credentials (especially when there is no real reason for them to do so).

I've had that same problem on a different (not MS) service. Damn, it was frustrating. I think it might have been Twitter, but maybe not.

I believe this or another vulnerability has been around for a long time. I know several people who had their Hotmail accounts hacked last year and from discussions of their individual circumstances it is very unlikely their passwords were compromised by a virus, rootkit, etc. In some cases they hadn't even logged in to Hotmail in months from ANY computer.

Microsoft in general is just $h** for security. Always has and always will be and that is why I have no hotmail address.

I've also encountered sites with password length restrictions. The scariest part of this is the implication that they're storing the password itself (probably in clear text) rather than hashing it.

I don't think there's ever a legitimate reason for there to be a maximum-length or character-set restrictions, other than those that break the standard web interface, on a password because they should always be hashed.